Pablos sez, "Shmoocon ended today. And just to prove The Shmoo Group wasn't sitting on their asses for the entire time while planning the con - A new exploit was demo'd by EricJ that left all our jaws on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Official advisory here. Phishing attacks of doom coming soon."
Link (Thanks, Pablos!)
Update: Chris Smith sez,
1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo again and notice it no longer works.
Update 2: J Brad Hicks sez, "Contrary to the update you just posted, setting network.enableIDN to false did not fix the problem for me in FireFox 1.0, aka Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0. Not even after quitting the application and re-launching it."
Update 3: Glenn sez, "I had the same problem in the same browser until I used Tools/Options/Privacy to clear the browser's cache. After clearing the cache, the network.enableIDN setting *does* appear to prohibit the exploit."
Update 4: Salim sez, "It seems that Firefox 1.0 is vulnerable despite applying the network.enableIDN fix. It works initially, but when the browser is restarted, the idn feature kicks into life again."
Update 5: Scott sez, "I've done a simple hack to Firefox to make it stick. My how-to is here."
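
Added example (not part of the original post, the advisory, or any reader's how-to): with IDN support on, a hostname can carry non-ASCII characters that look like ASCII ones, so a defender-side check is to show the ASCII-compatible (`xn--`) form of each label and flag labels that mix scripts. The function names and the sample hostnames are constructed for illustration, and the script test is a rough heuristic based on Unicode character names.

```python
import unicodedata

# Constructed sample input: the second host has a Cyrillic "a" (U+0430) in it.
SAMPLE_HOSTS = ["www.example.com", "ex\u0430mple.com"]

def script_of(ch):
    """Rough script of a character, taken from its Unicode name (LATIN, CYRILLIC, ...)."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"

def inspect_hostname(host):
    """Return (ascii_form, is_idn, mixed_labels) for a hostname.

    ascii_form   -- the name with every IDN label in its xn-- encoding
    is_idn       -- True if any label is non-ASCII or already xn-- encoded
    mixed_labels -- [(label, [scripts])] for labels that mix scripts
    """
    ascii_labels, mixed, is_idn = [], [], False
    for label in host.rstrip(".").split("."):
        if label.lower().startswith("xn--"):
            # Already ASCII-encoded: decode so the real characters can be inspected.
            is_idn = True
            ascii_labels.append(label.lower())
            label = label.lower().encode("ascii").decode("idna")
        elif not label.isascii():
            is_idn = True
            ascii_labels.append(label.encode("idna").decode("ascii"))
        else:
            ascii_labels.append(label.lower())
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            mixed.append((label, sorted(scripts)))
    return ".".join(ascii_labels), is_idn, mixed

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        ascii_form, is_idn, mixed = inspect_hostname(h)
        print(f"{h!r}: ascii={ascii_form} idn={is_idn} mixed={mixed}")
```
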